Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Enable ntfs_forensics to differentiate between renamed & deleted files #25

Open
mike-myers-tob opened this issue Jul 26, 2018 · 0 comments
Open

Enable ntfs_forensics to differentiate between renamed & deleted files #25

mike-myers-tob opened this issue Jul 26, 2018 · 0 comments
Labels
enhancement ntfs_forensics Related to the NTFS forensics extension

Comments

@mike-myers-tob
Copy link
Contributor

Differentiating between entries from renamed files and entries from deleted files in ntfs_indx_data table:

since directory indices are filename-based, renaming a file will in effect cause the old entry to be marked as inactive, and create a new entry in the index. Differentiating a renamed file from a deleted one will require additional analysis.

It might take some studying to know whether it can be done. If it's just not feasible, then it could be addressed as a note in the extension's README.
@mike-myers-tob mike-myers-tob added enhancement ntfs_forensics Related to the NTFS forensics extension labels Jul 26, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
enhancement ntfs_forensics Related to the NTFS forensics extension
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@mike-myers-tob